x509-ocsp: Basic X509 OCSP implementation

[ bsd3, data, library ] [ Propose Tags ]

Build X509 OCSP requests and parse responses


[Skip to Readme]

Downloads

Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees

Candidates

  • No Candidates
Versions [RSS] 0.1.0.0, 0.1.1.0, 0.2.0.0, 0.3.0.0, 0.3.1.0, 0.4.0.0, 0.4.0.1 (info)
Change log Changelog.md
Dependencies asn1-encoding, asn1-types, base (>=4.8 && <5), bytestring, cryptohash-sha1, crypton-x509, crypton-x509-validation [details]
License BSD-3-Clause
Copyright 2024 Alexey Radkov
Author Alexey Radkov <alexey.radkov@gmail.com>
Maintainer Alexey Radkov <alexey.radkov@gmail.com>
Category Data
Home page https://github.com/lyokha/x509-ocsp
Source repo head: git clone https://github.com/lyokha/x509-ocsp.git
Uploaded by lyokha at 2024-07-09T08:21:55Z
Distributions NixOS:0.4.0.1
Downloads 206 total (18 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs uploaded by user
Build status unknown [no reports yet]

Readme for x509-ocsp-0.4.0.1

[back to package description]

Basic X509 OCSP implementation in Haskell

Build Status Hackage

This module helps building OCSP requests and parse OCSP responses in Haskell.

There are many scenarios of OCSP use. One of the simplest practical use cases for clients is sending OCSP requests to the OCSP responder upon validation of the server certificate during the TLS handshake. See the basic implementation of this scenario in directory client-ocsp. To test this scenario, run

$ cd test/client-ocsp
$ cabal build
$ nginx -c /path/to/x509-ocsp/test/client-ocsp/nginx.conf

You may need to make the root certificate trusted by the system before running Nginx. Below is how to do this in Fedora.

$ sudo trust anchor --store ../data/certs/root/rootCA.crt
$ sudo update-ca-trust

Now let's create a database file index.txt (its path must be equal to what written in clause database in file ../data/certs/openssl.cnf),

$ touch ../data/index.txt

and put there the server certificate.

$ openssl ca -valid ../data/certs/server/server.crt -keyfile ../data/certs/root/rootCA.key -cert ../data/certs/root/rootCA.crt -config ../data/certs/openssl.cnf

The certificate has good status because we used option -valid. Run OpenSSL OCSP responder in a separate terminal window to see what it will print out.

$ openssl ocsp -index ../data/index.txt -port 8081 -rsigner ../data/certs/root/rootCA.crt -rkey ../data/certs/root/rootCA.key -CA ../data/certs/root/rootCA.crt -text

Run the test. It should print Response: In backend 8010.

$ cabal run
Response: In backend 8010

The output of the OCSP responder must contain details of the request and the response.

Let's revoke the certificate.

$ openssl ca -revoke ../data/certs/server/server.crt -keyfile ../data/certs/root/rootCA.key -cert ../data/certs/root/rootCA.crt -config ../data/certs/openssl.cnf

Restart the OCSP responder and look at what cabal run will print (you may also run cabal run twice instead of restarting the responder).

$ cabal run
client-ocsp: HttpExceptionRequest Request {
  host                 = "localhost"
  port                 = 8010
  secure               = True
  requestHeaders       = []
  path                 = "/"
  queryString          = ""
  method               = "GET"
  proxy                = Nothing
  rawBody              = False
  redirectCount        = 10
  responseTimeout      = ResponseTimeoutDefault
  requestVersion       = HTTP/1.1
  proxySecureMode      = ProxySecureWithConnect
}
 (InternalException (HandshakeFailed (Error_Protocol "certificate rejected: [CacheSaysNo \"OCSP: bad certificate status OCSPRespCertRevoked\"]" CertificateUnknown)))

The certificate has been revoked and the handshake fails.